Hi @jkressin,
I am using ELK with searchguard in kubernetes environment. I want to use Istio (mtls) that takes care of pod-to-pod TLS communication.
So I want to know if there is a way to disable TLS within searchguard and only enable its authentication/authorization features?
@srgbnd,
Since we are enabling mTLS on all pods (using Istio), we would want to remove the transport layer tls when SG is enabled, so that communication between all pods would be encrypted by istio’s mTLS.
Also, one more clarification:
Transport layer - would mean inter-node communication between elasticsearch nodes using port 9300.
REST API - would mean communication between any client (could be logstash, fluentd, curl etc) to elasticsearch and would use the port 9200.
Is this understanding correct?
Right, the transport layer is used for internal communication between nodes in a cluster. Transport port range defaults to TCP 9300-9400. REST API in our case is SearchGuard programming interface, for example, Access Control | Security for Elasticsearch | Search Guard. The API port defaults to 9200.
Thanks @srgbnd. A follow up question to that: Istio rotates certificates on a regular basis. Once the certificates change, is it sufficient to just run SGadmin to update the new certificates? Or would we need to restart elasticsearch as well?
Ok, thanks for the information @srgbnd. Point noted.
I have a few queries about using searchguard with istio:
If searchguard has been tested with istio in your labs, can you please provide us with any specific configurations required for the setup.
With istio in PERMISSIVE mode, it worked for us. I had:
1. disabled tls on the rest layer in searchguard
2. provided certificates for node-to-node communication (transport layer)
3. provided a client certificate (--keystore) to run SGAdmin.
With istio in STRICT mode, with the same settings as in point 2, it does not work. It throws the below error:
/usr/share/elasticsearch/plugins/search-guard-7/tools/sgadmin.sh -cd $SG_CONFIG_DIRECTORY -ts $TRUSTSTORE_FILEPATH -ks $CLIENT_KEYSTORE_FILEPATH -cn $CLUSTER_NAME -kspass $KS_PWD -tspass $TS_PWD -h $HOSTNAME -nhnv -dg
Search Guard Admin v7
Will connect to mahe-ee-belk-elasticsearch-client-776c898cc8-f2bvb:9300 … done
10:35:40.048 [elasticsearch[client][transport_worker][T#1]] ERROR com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - SSL Problem PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to
ERR: Cannot connect to Elasticsearch. Please refer to elasticsearch logfile for more information
Trace:
NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{mDp4h8d5TbCo6lws76uVGw}{mahe-ee-belk-elasticsearch-client-776c898cc8-f2bvb}{192.168.41.162:9300}]]
at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:352)
Are the client certificate and truststore certificates (the arguments --keystore & --truststore) mandatory to run SGadmin?
It means that the certificate you use can’t be validated against the root or an intermediate certificate. Something is wrong in your certificate chain. Check your certificates using the tips from the Troubleshooting TLS doc.
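To make the answer above concrete, here is an added example (not from this thread or from Search Guard) that reproduces the chain problem behind the "PKIX path building failed" error with openssl: a node certificate issued by one CA validates against that CA but fails against a different CA in the truststore. The CA names istio-root and sg-root and the node name es-node are hypothetical, all material is generated on the fly, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example: reproduce a broken certificate chain with throwaway material.
set -e
WORK="$(mktemp -d)"

# make_ca NAME : self-signed CA key + certificate (hypothetical CA name)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_node CA CN : leaf (node) certificate signed by CA
issue_node() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.pem" >/dev/null 2>&1
}

# chain_ok TRUST_CA LEAF : exit 0 if LEAF chains to TRUST_CA, non-zero otherwise
# (the same check a JVM truststore performs before the PKIX error above)
chain_ok() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

make_ca istio-root      # constructed: CA that actually issued the node cert
make_ca sg-root         # constructed: a different CA sitting in the truststore
issue_node istio-root es-node

if chain_ok istio-root es-node; then
  echo "es-node validates against istio-root"
fi
if ! chain_ok sg-root es-node; then
  echo "es-node does NOT validate against sg-root: this is the PKIX failure case"
fi
```

Run `openssl verify -CAfile <truststore CA pem> <node cert pem>` against the real files to see which side of the mismatch you are on.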
Can we run sgadmin without passing any certificates at all? (i.e. no pem, jks, or *crt) Something like - “./sgadmin.sh -cd /path/to/sgconfig/ -nhnv -icl” ?
We want to run ELK+searchguard with istio. We have disabled tls on the http(rest) layer in searchguard, but as we know, on the transport layer, tls cannot be disabled.
Now, we want to re-use Istio’s certificate as the node certificate for searchguard’s transport layer. Can we re-use the same certificate as the admin certificate too and run sgadmin using this?